1. Introduction

This User Guide describes the HammerHead/CPX Flow & Packet Capture appliance and how to configure and use the system's tools.



Overview

Your HammerHead/CPX Flow & Packet Capture appliance is an integrated solution for high-fidelity recording and retrieval of network traffic.




Hardware Acceleration

Your HammerHead/CPX appliance provides a powerful, hardware-accelerated platform for capturing, searching, and replaying Ethernet frames. The multi-threaded software is tightly integrated with an intelligent capture adapter and a high-performance SAS RAID controller that offer:

• Full 20-Gbps sustained packet capture with zero packet loss

• Zero-copy DMA transfer to host memory with cache-hit optimization

• High-speed frame read/write utilizing a tuned journaling file system



Industry Standard Format

Your HammerHead/CPX reads and writes packets in the industry-standard PCAP format. By default, packets are saved in PCAP format using a nanosecond time stamp. HammerHead/CPX sets the header of the PCAP file appropriately using the NSEC_TCPDUMP_MAGIC number. This number is recognized and used by tools such as TCPDump and Wireshark. Contact nPulse for TCPDump updates to support nanosecond timestamps.
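As an added illustration (not code from nPulse or this manual), the following Python writes a minimal PCAP file carrying the nanosecond magic number and shows how a reader tells it apart from the classic microsecond format; the sample frame and timestamp are constructed for the demonstration.

```python
"""Write a nanosecond-precision PCAP file and read it back.

Added example, not code from nPulse or this manual. It uses only the standard
library; the sample frame and timestamp below are constructed for the demo.
"""
import struct

# Magic numbers from the libpcap file format.
TCPDUMP_MAGIC = 0xA1B2C3D4       # classic PCAP: fractional timestamp in microseconds
NSEC_TCPDUMP_MAGIC = 0xA1B23C4D  # nanosecond PCAP: fractional timestamp in nanoseconds
LINKTYPE_ETHERNET = 1
NS = 1_000_000_000

# Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
# Record header: ts_sec, ts_frac, incl_len, orig_len.
GLOBAL_FMT = "IHHiIII"
RECORD_FMT = "IIII"


def write_pcap(packets, nanosecond=True):
    """Serialize (timestamp_ns, frame_bytes) tuples into little-endian PCAP bytes."""
    magic = NSEC_TCPDUMP_MAGIC if nanosecond else TCPDUMP_MAGIC
    out = bytearray(struct.pack("<" + GLOBAL_FMT, magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_ns, frame in packets:
        sec, frac = divmod(ts_ns, NS)
        if not nanosecond:
            frac //= 1000  # classic files only carry microseconds
        out += struct.pack("<" + RECORD_FMT, sec, frac, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Parse PCAP bytes of either byte order.

    Returns (precision, records): precision is "ns" or "us" depending on the
    magic number, and records is a list of (timestamp_ns, frame_bytes).
    """
    if len(data) < 24:
        raise ValueError("too short to be a PCAP file")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (TCPDUMP_MAGIC, NSEC_TCPDUMP_MAGIC):
            break
    else:
        raise ValueError("not a PCAP file: unknown magic number")
    nanosecond = magic == NSEC_TCPDUMP_MAGIC
    ghdr = struct.Struct(endian + GLOBAL_FMT)
    rhdr = struct.Struct(endian + RECORD_FMT)
    snaplen = ghdr.unpack_from(data, 0)[5]
    records = []
    pos = ghdr.size
    while pos + rhdr.size <= len(data):
        sec, frac, incl_len, _orig_len = rhdr.unpack_from(data, pos)
        pos += rhdr.size
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (pos - rhdr.size))
        frame = data[pos:pos + incl_len]
        pos += incl_len
        ts_ns = sec * NS + (frac if nanosecond else frac * 1000)
        records.append((ts_ns, frame))
    return ("ns" if nanosecond else "us"), records


# Constructed sample: a 42-byte Ethernet frame with an (empty) ARP payload,
# timestamped 2011-11-01 15:30:00 UTC plus 123456789 ns.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0025b3a74382" "0806") + bytes(28)
SAMPLE_TS_NS = 1320161400 * NS + 123456789


if __name__ == "__main__":
    blob = write_pcap([(SAMPLE_TS_NS, SAMPLE_FRAME)])
    precision, recs = read_pcap(blob)
    print("precision:", precision, "timestamp:", recs[0][0], "bytes:", len(recs[0][1]))
```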
Hardware

Your HammerHead/CPX appliances are available as 1, 3, or 4 rack-unit (RU) chassis that include:

• Up to two Xeon E5-2620 2.0 GHz hex-core processors

• Up to 32 GB of RAM

• Two 1-Gbps or two 10-Gbps management network interfaces

• Separate 10/100/1000 IPMI interface (out-of-band, lights-out management)

• Up to 36 drives (each at 1 or 2 TB capacity) or an optional Fibre Channel connection to external storage

• Hardware interface adapters with SFP or SFP+ pluggable transceivers

Software

OS: The HammerHead/CPX software is built on a secured and locked-down Linux 2.6 distribution.

User Interface: HammerHead/CPX uses a tabbed, graphical Web-based interface, and provides command line access for system administration and for file tasks not available through the GUI.
2. Before You Begin

Your HammerHead/CPX appliance is designed for use by network operations and security 
personnel with an intermediate knowledge of Internet protocols. 

Qualifications

To get the most from your HammerHead/CPX Flow & Packet Capture appliance, you should have experience with network analysis using the Wireshark toolset or similar products.

nPulse recommends training for users without network packet analysis experience.



Resources

To learn more about basic packet analysis and packet manipulation, please refer to the following resources:

On the Web 

• www.wireshark.org 

• www.tcpdump.org 

Books 

• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems by 
Chris Sanders 
3. Getting Started

This section describes how to start using your HammerHead/CPX appliance, including: 

• Logging In 

• Configuring the Network Interface 

• Configuring TACACS Login Authentication 

• Configuring Remote Login with Secure Shell (SSH) 

• Configuring the Date & Time and Time Synchronization 

Logging In

To log in using the command line, connect directly to your HammerHead/CPX using the serial port. See the HammerHead/CPX Installation Guide for initial setup and hardware connections. Log in using the following credentials:

Username: hhadmin 

Password: hammerhead 

Once you authenticate, you will be dropped into a locked-down, menu-driven shell with 
HammerHead> as the prompt. Type "?" for help. 

For security, we recommend that you change the factory default password. See the next section for details.

Configuring the Network Interface

To configure the network interface, follow these steps:

1. From the HammerHead> prompt, type enable and enter your password. 

2. Next, type configure hammerhead 

3. To run the initial setup script, type setup 

4. When prompted, enter the hostname, interface IP address, netmask, gateway, 
DNS, NTP servers, IPMI IP address, IPMI netmask, and IPMI gateway. 

Press Return without entering a new value to keep the current value (current values are shown in square brackets [...]).

5. You will be asked if you would like to change the password for hhadmin. 

6. Select y and enter your new password. Confirm the password and press Return 
to continue. 

7. Type y to save your changes. The network interface can also be configured using the Web UI. See Section 10, General Information Settings.
8. Exit from configuration and privileged modes and restart the networking services using the following commands:

shell

sudo /etc/init.d/networking restart

9. Exit shell mode and test your connectivity and name resolution by pinging a machine with a fully qualified hostname. For example:

ping <fully qualified hostname>
Configuring TACACS Login Authentication

To enable TACACS authentication for user logins, edit the /etc/pam.d/tacacs file and replace server=10.7.7.11 with the IP address of the desired TACACS server. For assistance editing the TACACS file, contact nPulse support.

Note that this information is also provided in the HammerHead/CPX Installation Guide. 



Configuring Remote Login with Secure Shell (SSH)

SSH is enabled and configured to only accept public-key authentication. To use your own public key for authentication, follow these steps:

1. Drop to a shell from the command line. 

2. Generate a key pair on the client machine. For example: 

ssh-keygen -t rsa 

3. Place a copy of ~/.ssh/id_rsa.pub in the .ssh/authorized_keys file of the user's home directory on your HammerHead/CPX.

4. To enable password authentication, edit /etc/ssh/sshd_config and set PasswordAuthentication to yes.

For more details, view the manual pages by typing man sshd_config or man ssh-keygen at the command line.
Configuring the Date & Time and Time Synchronization

To configure the correct time zone for your HammerHead/CPX system, follow these steps:

1. Use the shell command to drop to a shell from the command line. 

2. Type the following command: 

sudo dpkg-reconfigure tzdata

3. Select the region and the time zone for the HammerHead/CPX's location. 

4. Configure the local date and time using: 

sudo date MMDDHHMMYY 

Note: All HammerHead/CPX capture data will be saved in GMT to correlate distributed 
searches across HammerHead/CPX platforms. 

Your HammerHead/CPX appliance can also use distributed timing synchronization, based on GPS or CDMA timing sources and a PTP (1588) or PPS signal input, for sub-second synchronization. Use NTP to synchronize the year, date, minute, and second. The HammerHead/CPX platform is configured to look for a 1PPS external input by default. If no 1PPS external input will be used, make the following modifications to synchronize the internal system OS clock:

1. Drop to a shell from the command line and run the following commands.

2. /etc/init.d/hammerhead stop

3. Modify /opt/napatech/config/default.cfg and set OSTimeSync=1

4. /opt/napatech/bin/unload_drivers.sh

5. /etc/init.d/hammerhead start



PPS Time Synchronization: Your HammerHead/CPX system will automatically synchronize to a 1PPS signal attached to the external timing input on the interface adapter card (see the HammerHead/CPX Installation Guide for the connector location). Typical GPS time synchronization accuracy is approximately 30 ns.
Web Interface

Accessing the Web Interface

Introduction

Access the Web interface using a secure HTTPS connection in the format:

https://{ipaddress}

The IP address is configured during initial startup. See the HammerHead/CPX Installation Guide. 
The default username is hammerhead and the default password is hammerhead. 

Recommended browsers are: 

• Microsoft Internet Explorer 8 and above 

• Google Chrome 19 and above 

• Mozilla Firefox 12 and above 

Please note that the appliance ships with a self-signed SSL certificate, so your browser will show a warning the first time a HammerHead/CPX appliance is accessed. Click Proceed to the site to access the login screen.

Common Web Interface Items 

The Web interface includes some common items for easier analysis. The top bar shows the 
following items: 

• First Flow (the time of first flow recorded on the appliance) 

• Last Flow (the time of the last flow recorded and completed on the appliance) 

• First Packet (the time of first packet received on the appliance) 

• Current local time (derived from user's local machine) 

• Current UTC time (derived from user's local machine) 

• The username for the currently logged-in client 
Figure 1. Web interface status bar and time indicators



The Web interface also includes a status bar along the top. The right side of the status bar continuously displays the time of the first flow record still present in the flow index, the time of the last (most recent) flow record still present in the flow index, and the time of the first packet in the PCAP data records (the oldest packet not yet purged). The left side of the status bar shows the current local time and the current UTC time. NOTE: The current local and UTC times shown in the Web interface are derived from the Web client, not from your HammerHead/CPX appliance.
This section describes the HammerHead/CPX's powerful search capabilities using the Web interface. All searches may be run using the RESTful API as well.

The following figure shows the Search menu:

Figure 2. Search menu (menu items: Flows, Packets, Search Queue, Active Searches, Browse)



Types of Searches

From the Search tab or API, you can run three types of searches:

• Flow index search 

• Packet search (BPF) 

• Packet search for data pattern (PGREP) 

Flow Index Search 

• This search uses all the standard search parameters in Table 1 and can be refined using 
the flow search parameters in Table 2. 

• Select the Expert Mode tab to enter search strings directly or select the Form Fields tab 
to use the standard form and calendar for data entry of search parameters. 

• This search is run on the flow index only. 

BPF-based Packet Search 

• A BPF search searches all packets in the given time period for the layer 1-4 protocol 
information given in the search string. 

• Select the Expert Mode tab to enter search strings directly or select the Form Fields tab 
to use the standard form and calendar for data entry of search parameters. 

• This search uses all the standard search parameters in Table 1 and includes the bpf:"{bpf string}" parameter to identify it as a packet search. To view BPF string parameters, see the BPF Search Parameters overview. Note that packet searches cannot include flow search items from Table 2.

• This search is run on the PCAP files directly. 

User Data Pattern Search (PGREP search)

• A PGREP search searches the user data portion of recorded packets for a given pattern. The PGREP search can be used to search all packets in a given time, or it can be used with a BPF search. When used with a BPF search, the PGREP pattern search is run only on the BPF search results.

• A fixed offset is used to skip the Ethernet and IP header portions of the packet. Note that 
for some extended IP headers a small portion of the IP header may be included in the 
pattern match search. 

• This search uses all the standard search parameters in Table 1, can optionally include the BPF parameters in Table 3, and includes the pgrep:"{regular expression}" parameter to add the pattern match across user data to the search. To view PGREP parameters, see PGREP Search Parameters.

• This search is run on the PCAP files directly. 

Search Strings

The HammerHead/CPX accepts search arguments in the following formats when using the expert mode search input screens:

Flow search:

[time] [flow search parameters] [common search parameters]

Packet search:

[time] [bpf search parameters] [common search parameters]

User data pattern search:

[time] [bpf search parameters] [pgrep search parameters] [common search parameters]

Flow search examples 

• stime:20111101.153000 etime:20111101.153500 feed:0 

• stime:20111101.153000 

• stime:now 

• stime:0.153000 etime:0.154000

• stime:20111101.153000 etime:20111101.153500 saddr:192.1.1.1 sport:22 

Packet search examples 

• stime:20111101.153000 etime:20111101.153500 bpf:"ip[12:4] = ip[16:4]" 

• stime:0.153000 etime:0.154000 bpf:"src host 192.1.1.1"

User data pattern search examples 

• stime:20111101.153000 etime:20111101.153500 pgrep:"john.smith@yahoo.com"

• stime:0.153000 etime:0.154000 bpf:"src host 192.1.1.1" pgrep:"testpattern"

Note: If you specify BPF or PGREP search parameters, the HammerHead/CPX performs a packet-based search and not a flow-based search. This searches all individual packets in the specified timeframe for the parameters, and may take significantly longer than a standard flow search depending on the system capture load.

Common Search Parameters

Table 1 below lists the common elements that can be used in any search argument. The search elements can be listed in any order. The format for all common elements is:

[parameter]:[value]

Table 1. Common search parameters

stime
    Start time. Takes the formats:
    • YYYYMMDD.HHMMSS
    • now (starts a search at the current time and goes back over the default time range)
    • 0.HHMMSS (0 equals today's date)
    • epoch nanosecond format

etime
    End time. Takes the formats:
    • YYYYMMDD.HHMMSS
    • now (ends the search at the current time; if no stime is specified, it searches backwards from now over the default search time range)
    • 0.HHMMSS (0 equals today's date)
    • epoch nanosecond format

feed
    The feed or feeds from which the flows or packets are captured.

limit
    The maximum number of flows returned by a flow search or the maximum number of packets returned by a packet (BPF) search. Default value is 1000 flows if not specified. NOTE: setting limit:0 may return large amounts of data.

timeout
    The maximum number of seconds a flow or packet search will execute before timing out. Default is 300 seconds for a flow search and 300 seconds for a packet search. For flow and packet searches, the default timeout limit is defined under System Settings > Search. NOTE: setting timeout:0 may return large amounts of data.

window
    Numeric value in seconds. When used with an stime or etime, the search covers a window around the given time: stime:x window:y searches from x-(y/2) to x+(y/2).

label
    Name under which the search is saved.
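An added parser for the expert-mode search strings described above (the Search Strings section and Table 1); this is example code, not the appliance's own implementation. It assumes all clock times are UTC, uses a one-hour default search range as a placeholder for the System Settings value, and treats an explicit stime without etime as a forward range (an assumption the manual does not state); the NOW_2011 reference clock is constructed so results are reproducible.

```python
"""Parser for HammerHead/CPX expert-mode search strings.

Added example, not code from nPulse or this manual. It follows the Search
Strings section and Table 1: parameter:value tokens in any order, double-quoted
bpf/pgrep values, a bare keyword such as swap, and stime/etime written as
YYYYMMDD.HHMMSS, now, 0.HHMMSS (today) or epoch nanoseconds. Assumptions: all
clock times are UTC, and the default search range is one hour (on the
appliance it is set under System Settings > Search).
"""
import re
from datetime import datetime, timezone

NS = 1_000_000_000
DEFAULT_RANGE_NS = 3600 * NS  # assumed placeholder for the System Settings value

# One token: a name, optionally followed by :"quoted value" or :bareword.
TOKEN_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|\S+))?')

COMMON_PARAMS = {"stime", "etime", "feed", "limit", "timeout", "window", "label"}
FLOW_PARAMS = {"saddr", "sport", "daddr", "dport", "proto", "vlan", "af", "swap", "rtt"}
PACKET_PARAMS = {"bpf", "pgrep", "strict"}

# Constructed reference clock so "now" and 0.HHMMSS resolve reproducibly.
NOW_2011 = datetime(2011, 11, 1, 16, 0, 0, tzinfo=timezone.utc)


def parse_time(value, now):
    """Convert one stime/etime value to epoch nanoseconds."""
    if value == "now":
        return int(now.timestamp()) * NS
    m = re.fullmatch(r"(\d{8}|0)\.(\d{6})", value)
    if m:
        day = now.strftime("%Y%m%d") if m.group(1) == "0" else m.group(1)
        dt = datetime.strptime(day + m.group(2), "%Y%m%d%H%M%S")
        return int(dt.replace(tzinfo=timezone.utc).timestamp()) * NS
    if value.isdigit():
        return int(value)  # already epoch nanoseconds
    raise ValueError("bad time value: %r" % value)


def tokenize(search):
    """Split a search string into a dict; a bare keyword maps to True."""
    params = {}
    pos = 0
    while pos < len(search):
        if search[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(search, pos)
        if not m:
            raise ValueError("cannot parse search string at offset %d" % pos)
        name, value = m.group(1).lower(), m.group(2)
        if value is None:
            params[name] = True
        elif value.startswith('"'):
            params[name] = value[1:-1]  # drop the quotes; escapes stay as written
        else:
            params[name] = value
        pos = m.end()
    return params


def plan_search(search, now=None):
    """Classify a search as flow, bpf or pgrep and resolve its time range.

    Returns (kind, start_ns, end_ns, params). Raises ValueError for unknown
    parameters or for Table 2 flow parameters used in a packet search.
    """
    now = now or datetime.now(timezone.utc)
    p = tokenize(search)
    unknown = sorted(set(p) - COMMON_PARAMS - FLOW_PARAMS - PACKET_PARAMS)
    if unknown:
        raise ValueError("unknown parameters: %s" % unknown)
    if "bpf" in p or "pgrep" in p:
        kind = "pgrep" if "pgrep" in p else "bpf"
        bad = sorted(set(p) & FLOW_PARAMS)
        if bad:
            raise ValueError("packet search cannot use flow parameters: %s" % bad)
    else:
        kind = "flow"

    stime = parse_time(p["stime"], now) if "stime" in p else None
    etime = parse_time(p["etime"], now) if "etime" in p else None
    if "window" in p:
        # stime:x window:y searches x-(y/2) to x+(y/2); likewise around etime.
        if (stime is None) == (etime is None):
            raise ValueError("window needs exactly one of stime or etime")
        centre = stime if stime is not None else etime
        half = int(p["window"]) * NS // 2
        start, end = centre - half, centre + half
    elif stime is not None and etime is not None:
        start, end = stime, etime
    elif etime is not None or p.get("stime") == "now":
        end = etime if etime is not None else stime  # search back over the default range
        start = end - DEFAULT_RANGE_NS
    elif stime is not None:
        start, end = stime, stime + DEFAULT_RANGE_NS  # assumed: forward from an explicit stime
    else:
        end = int(now.timestamp()) * NS  # nothing given: from now back over the default range
        start = end - DEFAULT_RANGE_NS
    if start > end:
        raise ValueError("stime is after etime")
    return kind, start, end, p
```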
Flow Search Parameters

Table 2 lists the search parameters used in a flow search. The search elements can be listed in any order. The format for all flow search parameters is:

[parameter]:[value]

Table 2. Flow search parameters

saddr
    Source IP address of the network flow. Enter the IP address in IPv4 format (nnn.nnn.nnn.nnn) or IPv6 format (hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh). A netmask may also be used for subnet searches: enter the IP address and prefix length (known as CIDR notation), for example 192.168.1.1/22 or 2001:db8::/48.

sport
    Source port of the flow. Enter a value between 0 and 65535.

daddr
    Destination IP address of the network flow. Enter the IP address in IPv4 format (nnn.nnn.nnn.nnn) or IPv6 format (hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh). A prefix size may also be used for subnet searches: enter the IP address/prefix size, for example 192.168.1.1/22 or 2001:db8::/48.

dport
    Destination port of the flow. Enter a value between 0 and 65535.

proto
    The IP protocol number used in the flow.

vlan
    The virtual LAN identifier, 0 to 4,095.

af
    Address family of the packets: IPv4 or IPv6.

swap
    When this keyword is included, the IP address being searched for may match either the source address or the destination address field of the flow record. It provides the same function for source and destination port numbers.

rtt
    When this keyword is included, only flows with a round-trip time greater than the value entered in microseconds are shown. Round-trip time is the average time of the initial two responses in a session. Example: rtt:1000000 shows all flows with an RTT greater than 1 second.
BPF Search Parameters

The following table lists the common BPF search parameters used in a packet search. The search elements can be listed in any order. The information below and additional information on BPF searches may be found at http://www.tcpdump.org. The format for the BPF search parameter is bpf:"search string". The bpf search parameter may be combined with the common search parameters. The format for all BPF elements is:

[parameter]:[value]

Table 3. BPF search parameters

dst host
    True if the IPv4/v6 destination address field of the packet matches. Value is in standard IPv4 and v6 notation (i.e., 192.168.1.1 and 2001:db8:aaaa:bbbb:cccc:dddd:eeee:aaaa).

src host
    True if the IPv4/v6 source address field of the packet matches. Value is in standard IPv4 and v6 notation (i.e., 192.168.1.1 and 2001:db8:aaaa:bbbb:cccc:dddd:eeee:aaaa).

host
    True if either the IPv4/v6 source or destination address of the packet is host. Value is in standard IPv4 and v6 notation (i.e., 192.168.1.1 and 2001:db8:aaaa:bbbb:cccc:dddd:eeee:aaaa).

ether dst
    True if the Ethernet destination address matches the value given in numeric format. Value can be a hex string or a colon-delimited hex string (i.e., 0025b3a74382 or 00:25:b3:a7:43:82).

ether src
    True if the Ethernet source address matches the value given in numeric format. Value can be a hex string or a colon-delimited hex string (i.e., 0025b3a74382 or 00:25:b3:a7:43:82).

ether host
    True if the Ethernet destination or source address matches the value given in numeric format. Value can be a hex string or a colon-delimited hex string (i.e., 0025b3a74382 or 00:25:b3:a7:43:82).

dst net
    True if the IPv4/v6 destination address of the packet matches the network number provided. An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair (e.g., 172.16), or single number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad (which means that it's really a host match), 255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number. An IPv6 network number must be written out fully; the netmask is ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network" matches are really always host matches.
src net
    True if the IPv4/v6 source address of the packet matches the network number provided. See the dst net description for the format.

net
    True if either the IPv4/v6 source or destination address of the packet matches the network number provided. See the dst net description for the format.

net net mask netmask
    True if the IPv4 address matches net with the specified netmask. May be qualified with src or dst. Note that this syntax is not valid for IPv6 net.

net network/len
    True if the IPv4/v6 address matches network with a netmask len bits wide. May be qualified with src or dst. Format is network/len.

dst port
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value that matches the given value. The port can be a number or a standard protocol name defined by http://www.iana.org. If a name is used, both the port number and protocol are checked. If a number or an ambiguous name is used, only the port number is checked (e.g., dst port 513 will match both tcp/login traffic and udp/who traffic, and port domain will match both tcp/domain and udp/domain traffic). Any of the port or port range expressions can be prepended with the keywords tcp or udp (i.e., tcp dst port 25, tcp port 25, tcp dst portrange 5-25).

src port
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a source port value that matches the given value. See the dst port description for the format.

port
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a source or destination port value that matches the given value. See the dst port description for the format.

dst portrange
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value between port1 and port2. Format is port1-port2 (i.e., dst portrange 5-25). port1 and port2 are interpreted in the same fashion as the port parameter for port.

src portrange
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a source port value between port1 and port2. Format is port1-port2 (i.e., src portrange 5-25). port1 and port2 are interpreted in the same fashion as the port parameter for port.
portrange
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination or source port value between port1 and port2. Format is port1-port2 (i.e., portrange 5-25). port1 and port2 are interpreted in the same fashion as the port parameter for port.

less
    True if the packet has a length less than or equal to the given length value.

greater
    True if the packet has a length greater than or equal to the given length value.

ip proto
    True if the packet is an IPv4 packet of the given protocol type. Protocol type can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp. Note that the identifiers tcp, udp, and icmp must be escaped via backslash (\) (i.e., ip proto \tcp, ip proto igmp, ip proto 4). These identifiers can be used without the ip proto keyword (i.e., bpf:"udp").

ip6 proto
    True if the packet is an IPv6 packet of the given protocol type.

ip6 protochain
    True if the packet is an IPv6 packet and contains a protocol header with the given protocol type in its protocol header chain. For example, "ip6 protochain 6" matches any IPv6 packet with a TCP protocol header in the protocol header chain. The packet may contain, for example, an authentication header, routing header, or hop-by-hop option header between the IPv6 header and the TCP header. This search is complex and can be somewhat slow.

ip protochain
    Equivalent to ip6 protochain protocol, but for IPv4.

ether broadcast
    True if the packet is an Ethernet broadcast packet. The ether keyword is optional.

ether multicast
    True if the packet is an Ethernet multicast packet. The ether keyword is optional. This is shorthand for "ether[0] & 1 != 0".

ip multicast
    True if the packet is an IPv4 multicast packet.

ip6 multicast
    True if the packet is an IPv6 multicast packet.

ether proto
    True if the packet is of the given Ethernet type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note that these name identifiers are also keywords and must be escaped via backslash (\) (i.e., "ether proto \arp").
vlan
    True if the packet is an IEEE 802.1Q VLAN packet. If a vlan_id is specified, then only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in the expression changes the decoding offsets for the remainder of the expression on the assumption that the packet is a VLAN packet. The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of the vlan [vlan_id] expression increments the filter offsets by 4. For example, "vlan 100 && vlan 200" filters on VLAN 200 encapsulated within VLAN 100, and "vlan && vlan 300 && ip" filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any higher order VLAN.

mpls
    True if the packet is an MPLS packet. If a label_num is specified, only true if the packet has the specified label_num. Note that the first mpls keyword encountered changes the decoding offsets for the remainder of the expression, assuming the packet is an MPLS-encapsulated IP packet. The mpls [label_num] expression may be used more than once to filter on MPLS hierarchies. Each use of the mpls expression increments the filter offsets by 4. For example, "mpls 100000 && mpls 1024" filters packets with an outer label of 100000 and an inner label of 1024, and "mpls && mpls 1024 && host 192.9.200.1" filters packets to or from 192.9.200.1 with an inner label of 1024 and any outer label.

pppoed
    True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet type 0x8863).

pppoes
    True if the packet is a PPP-over-Ethernet Session packet (Ethernet type 0x8864). Note that the first pppoes keyword encountered changes the decoding offsets for the remainder of the expression, assuming the packet is a PPPoE session packet. For example, "pppoes && ip" filters IPv4 protocols encapsulated in PPPoE.
iso proto
    True if the packet is an OSI packet of the given protocol type. Protocol can be a number or one of the names clnp, esis, or isis.

strict
    When set, the search does not look across all layers of vlan- and mpls-encapsulated packets. For example, bpf:"udp" strict=true will only match IP packets carrying UDP traffic with no vlan or mpls tags; it will not match packets that have a vlan or mpls tag and UDP traffic in the IP layer.



The BPF parameters above may be combined using the following operators:

• Negation (! or not).

• Concatenation (&& or and).

• Alternation (|| or or).



Negation has highest precedence. Alternation and concatenation have equal precedence and 
associate left to right. 

If an identifier is given without a keyword, the most recent keyword is assumed. 
For example: 

bpf:"not host 192.1.1.1 and 192.1.1.2" 
is short for 

bpf:"not host 192.1.1.1 and host 192.1.1.2" 
which should not be confused with 
bpf:"not ( host 192.1.1.1 or 192.1.1.2)" 

To access data inside the packet at a certain byte offset, use the following syntax:

proto[expr:size] relop value

proto is one of ether, ppp, link, ip, arp, rarp, tcp, udp, icmp, ip6, and indicates the protocol layer for the index operation. Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6, at this time. The byte offset, relative to the indicated protocol layer, is given by expr. size is optional and indicates the number of bytes in the field of interest; possible values are one, two, or four, where one is the default.

The relop is one of the following: >, <, >=, <=, =, !=

Some offsets and field values may be expressed as names rather than as numeric values. The 
following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP 
code field), and tcpflags (TCP flags field). 

The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

Example:

bpf:"tcp[tcpflags] = (tcp-syn)"



PGREP Search Parameters

The PGREP search parameter is a string of any characters. The "." (period or dot) may be used as a wildcard to match any character in a position. The following characters must be escaped using the "\" (backslash) symbol if they are included in a pattern: ^ [ . $ { * ( \ + ) | ? < >

Example:

pgrep:"john.smith" matches johnasmith, johnbsmith, johncsmith, etc.

pgrep:"john\.smith" matches john.smith



The PGREP search allows full regex pattern match capabilities, which are out of the scope of this manual. If complex pattern searches are desired, nPulse recommends that you contact support or use external references for writing regex pattern searches.



Local Time Checkbox

Checking this box allows you to enter and search local time values rather than GMT.

Figure 3. Local time checkbox



Saving Searches

The Save button saves the current search parameters shown in the search bar. To save a search, the label:[name] option must be included. The search is saved under the name given after the label option. Saved and historical searches can be viewed on the Packet Search screen. To access a saved search, click on the arrow to the right of the search bar and select the saved search. Your past searches are displayed in the Historical Searches section of the same page. To edit your Saved Searches list, click on Saved Searches under the Account menu.



Search Button

The Search button executes the search string you entered in the search box.

Figure 4. Search button

Note: You must enter at least one value in the search field. If you do not enter a start or end time, HammerHead/CPX will start the search at the current time, going back over the default search range (see Table 12).



Predefined Filters

HammerHead/CPX provides a set of predefined filters to search for flow and packet data. To access the predefined filters, click on the arrow to the right of the search bar and scroll to select the desired filter.

The following tables list the available predefined flow filters (Table 4) and packet search filters (Table 5).



Table 4. HammerHead/CPX predefined flow search filters

Proto: ICMP
    Search for ICMP (Internet Control Message Protocol) in the IP header protocol field

Proto: IGMP
    Search for IGMP (Internet Group Management Protocol) in the IP header protocol field

Proto: TCP
    Search for TCP (Transmission Control Protocol) in the IP header protocol field

Proto: IGRP
    Search for IGRP (Interior Gateway Routing Protocol) in the IP header protocol field

Proto: UDP
    Search for UDP (User Datagram Protocol) in the IP header protocol field

Proto: GRE
    Search for GRE (Generic Routing Encapsulation) in the IP header protocol field

Proto: ESP
    Search for ESP (Encapsulating Security Payload) in the IP header protocol field

Proto: AH
    Search for AH (Authentication Header) in the IP header protocol field

Proto: SKIP
    Search for SKIP (Simple Key management for Internet Protocol) in the IP header protocol field

Proto: EIGRP
    Search for EIGRP (Enhanced Interior Gateway Routing Protocol) in the IP header protocol field

Proto: OSPF
    Search for OSPF (Open Shortest Path First) in the IP header protocol field

Proto: L2TP
    Search for L2TP (Layer 2 Tunneling Protocol) in the IP header protocol field

Dest Port <nn>
    Search for destination port <nn> in the TCP/UDP header destination port field

Table 5. HammerHead/CPX predefined BPF filters 

Predefined BPF search filter   Filter expression 

HTTP GET 
    bpf:"port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420" 
    (the first four payload bytes are "GET ") 

SSH 
    bpf:"tcp[(tcp[12]>>2):4] = 0x5353482D && (tcp[((tcp[12]>>2)+4):2] = 0x312E || tcp[((tcp[12]>>2)+4):2] = 0x322E)" 
    (the payload starts "SSH-1." or "SSH-2.") 

FTP 
    bpf:"tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020" 
    (the payload starts "220-" or "220 ", the FTP server greeting) 

imap exploit 
    bpf:"tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020" 
    (listed with the same expression as the FTP filter) 

telnet 
    bpf:"(tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff)" 
    (the payload starts with IAC followed by WILL, WONT, DO or DONT) 

SYN with data 
    bpf:"tcp[13] & 0xff = 2 && (ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0) / 4)) != 0" 
    (only the SYN flag is set, and the IP total length exceeds the IP and TCP header lengths) 

smb 
    bpf:"dst port 139 && tcp[13:1] & 18 = 2" 
    (SYN set and ACK clear, to the NetBIOS session port) 

sip==dip 
    bpf:"ip[12:4] = ip[16:4]" 
    (source and destination IPv4 address are identical, as in a LAND attack) 

IP, not IPv4 
    bpf:"(ip[0] & 0xf0) != 0x40" 
    (the IP version field is not 4) 

udp port scan 
    bpf:"udp && src port = dst port" 

Teardrop attack 
    bpf:"udp && (ip[6:1] & 0x20 != 0)" 
    (UDP with the More Fragments flag set) 

udp packets: bad length 
    bpf:"(udp[4:2] < 0) || (udp[4:2] > 1500)" 
    (UDP length field above 1500; the first comparison can never be true for an unsigned 16-bit field, so only the upper bound is effective) 

In these expressions tcp[12]>>2 turns the data-offset nibble of the TCP header into the header length in bytes, so tcp[(tcp[12]>>2):n] reads the first n bytes of the TCP payload; the HTTP GET filter masks the reserved bits with 0xf0 first. A load that runs past the end of the packet makes the filter reject that packet rather than match it. 
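The byte-offset arithmetic in the Table 5 expressions is easy to get wrong, so the following added example (written for this page; it is not code from the HammerHead/CPX guide or from nPulse) re-implements several of the filters in Python over constructed IPv4/TCP packets. It mirrors BPF semantics: tcp[off:n] loads n big-endian bytes relative to the TCP header, tcp[12]>>2 turns the data-offset nibble into the header length in bytes, and a load that runs past the end of the packet makes the filter fail instead of matching. The packet builder, addresses, ports and payloads are constructed sample data, not captured traffic.

```python
"""Evaluate the offset logic of Table 5's predefined BPF filters on constructed packets."""
import struct
from typing import Optional


def build_ipv4_tcp(payload: bytes, *, flags: int = 0x18, sport: int = 40000,
                   dport: int = 80, tcp_opts: bytes = b"",
                   src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed sample packet: IPv4 header + TCP header (+options) + payload, checksums zero."""
    if len(tcp_opts) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_hlen = 20 + len(tcp_opts)
    total_len = 20 + tcp_hlen + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    data_offset_byte = (tcp_hlen // 4) << 4          # what tcp[12] holds: words << 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset_byte,
                          flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_opts + payload


def ip_load(pkt: bytes, off: int, n: int) -> Optional[int]:
    """ip[off:n]: big-endian load relative to the IP header; None when out of range."""
    chunk = pkt[off:off + n]
    return int.from_bytes(chunk, "big") if len(chunk) == n else None


def tcp_load(pkt: bytes, off: int, n: int) -> Optional[int]:
    """tcp[off:n]: load relative to the TCP header, which starts after the IHL."""
    ihl = (pkt[0] & 0x0F) * 4
    return ip_load(pkt, ihl + off, n)


def tcp_payload_offset(pkt: bytes) -> int:
    """(tcp[12] & 0xf0) >> 2: data offset in 32-bit words scaled to bytes."""
    return (tcp_load(pkt, 12, 1) & 0xF0) >> 2


def matches_http_get(pkt: bytes) -> bool:
    """HTTP GET: port 80 and the first 4 payload bytes are 'GET ' (0x47455420)."""
    on_port_80 = 80 in (tcp_load(pkt, 0, 2), tcp_load(pkt, 2, 2))
    return on_port_80 and tcp_load(pkt, tcp_payload_offset(pkt), 4) == 0x47455420


def matches_ssh_banner(pkt: bytes) -> bool:
    """SSH: payload starts 'SSH-' followed by '1.' or '2.'."""
    off = tcp_payload_offset(pkt)
    return (tcp_load(pkt, off, 4) == 0x5353482D
            and tcp_load(pkt, off + 4, 2) in (0x312E, 0x322E))


def matches_ftp_banner(pkt: bytes) -> bool:
    """FTP: payload starts '220-' or '220 ' (server greeting)."""
    return tcp_load(pkt, tcp_payload_offset(pkt), 4) in (0x3232302D, 0x32323020)


def matches_telnet_iac(pkt: bytes) -> bool:
    """telnet: first two payload bytes are IAC + WILL/WONT/DO/DONT (0xfffb..0xfffe)."""
    word = tcp_load(pkt, tcp_payload_offset(pkt), 2)
    return word is not None and 0xFFFA < word < 0xFFFF


def matches_syn_with_data(pkt: bytes) -> bool:
    """SYN with data: flags == SYN only, and total length exceeds IP + TCP header lengths."""
    ihl = (ip_load(pkt, 0, 1) & 0x0F) * 4
    thl = (tcp_load(pkt, 12, 1) & 0xF0) // 4
    return tcp_load(pkt, 13, 1) & 0xFF == 2 and (ip_load(pkt, 2, 2) - ihl - thl) != 0


def matches_land(pkt: bytes) -> bool:
    """sip==dip: ip[12:4] = ip[16:4]."""
    return ip_load(pkt, 12, 4) == ip_load(pkt, 16, 4)


if __name__ == "__main__":
    samples = {
        "http get": build_ipv4_tcp(b"GET / HTTP/1.1\r\n"),
        "ssh banner": build_ipv4_tcp(b"SSH-2.0-OpenSSH_8.9\r\n", sport=22, dport=50000),
        "syn+data": build_ipv4_tcp(b"x", flags=0x02),
    }
    for name, pkt in samples.items():
        print(name, matches_http_get(pkt), matches_ssh_banner(pkt), matches_syn_with_data(pkt))
```

The None-returning loads are what make the short-payload case behave like the appliance's filter: a three-byte payload cannot satisfy a four-byte compare, so the SSH and FTP checks fail instead of raising.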
5. Flow Search View 



The Flow Search view displays the flows that match your search. Click on a column heading to 
sort the displayed flows. You can also refine your flow search by adding additional search 
parameters (listed below) in the search bar and clicking the Search button or clicking on an 
individual flow item in the listed flows such as an IP address or port. 



Figure 5. Search tab with flow search details 

The Flow Search screen includes the flow parameters described in flow search parameters 
section, plus the columns described in the following table. 



Table 6. Flow Search display 

Parameter      Description 

selected       Click the check box to select flows and retrieve all packets for multiple flows using the Merge Flows to PCAP button. 
spackets       Source packets. The number of packets sent by the source address. 
dpackets       Destination packets. The number of packets sent by the destination address. 
Pivot2Pcap     Lets you view the packets for the selected flow. See Packet Search view below. To view packets for multiple flows, select each flow by clicking its check box in the selected column, then click the Merge Flows to PCAP button. 
stime, etime, saddr, sport, daddr, dport, proto, af, vlan 
               See flow search parameters, Table 2. 



Merge Flows to PCAP On the Flow Search view, select multiple flows using the selected check box next to each flow. 
Click the Merge Flows to PCAP button to view all packets matching the selected flows. Once the search 
has started, click the View Search Progress link to view the resulting PCAP file. 



6. Packet Search View 

Packet Search View In the Flow Search screen, click on Packets in the Pivot2Pcap column. This takes you to the 
Packet Search screen and prepopulates the search string for the flow requested. To 
execute the search, click the Search button. The search parameters may be modified before 
executing the search. The Packet Search view may also be selected by clicking on the Search drop-
down menu and selecting Packets. 

Expert Mode In expert mode, all packet search, BPF, and PGREP parameters are entered directly on the search 
line as shown in Section 4. 

Packet Search Form Fields Mode When in the Packet Search view, click on the Form Fields tab to select the alternate form method 
of data input. 



Viewing Search Results 

Figure 6. Packet Search view 

The start time (stime) and end time (etime) for the search can be entered in local time using the 
drop-down calendar and time menus. 

The PGREP and BPF parameters are entered as shown in Section 4. 

The source parameter allows filtering on an existing pcapid from a previous search. 

The file parameter allows you to enter a file name that resulted from a Stream search. 

For information on the feed, window, limit, timeout, strict, and label parameters, refer to Table 1 
in Section 4. 

Once the search is complete, you can: 

1. View results. 

2. Download results. 

3. Store results. 
Figure 7. Search History view 



View Packets Button Clicking on View <num> packets in the Results column takes the user to the Search Results 
(packet details) view. 

Download PCAP Button After you run a search, you can also use the Download PCAP button to download the search 
results to your local drive via your Web browser. 



Store PCAP Button After you run a search, use the Store PCAP button to save the search results to 
HammerHead/CPX storage. Stored files are saved in the /store directory on your 
HammerHead/CPX appliance and are viewable under the Browse menu on the Web interface. 
Enter a file name with a maximum length of 128 characters and no symbols or spaces. 

Files in the /store directory are not included in the normal HammerHead/CPX capture and 
purge process, and will remain on the system until you manually delete them. 
Search Results View On the Packet Search screen, click on View <num> packets in the Results column. The Search 
Results view is displayed with the following sections: 

• Packet details table 

• Packet decode display 



Figure 8. Search Results view (packet details table above, packet decode display below) 

You can sort the packets by clicking the column headings. Click a packet to display the decode 
view. The Search Results view displays the packet parameters described in Table 7 below. 



Table 7. Search Results view parameters 

Parameter     Description 

index         Order in which the packet arrived. 
stime         Time the packet was received. The format is yyyymmdd.hhmmss, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, and ss = second. 
hint          Value of the TCP flag field in the TCP header (URG, ACK, PUSH, RST, SYN, FIN). 
wirelen       Frame length, in bytes. 
saddr, sport, daddr, dport, eth type, proto 
              See Flow Search parameters, Table 2. Note: For frames carrying non-IP traffic, the source and destination address fields show the MAC addresses of the Ethernet frame and the eth type field shows the protocol encapsulated in the Ethernet frame. The source and destination port fields are blank. 



The Packet Decode view at the bottom of the Search Results view features layered tabs that 
display the data for each layer within a packet. Click a tab to view that layer's data. 
Figure 9. Search Results - Packet Decode view 

Help Menu When you are in the HammerHead/CPX GUI, help is just a click away. Select Home and Help to 
view context-sensitive help for the current screen. 
Queued Searches View Selecting Status > Search Queue shows the queued searches. This view lists queued 
searches initiated by all users. It does not show the status of streaming searches 
performed using the Stream Search button on the Packet Search Form Fields tab or the RESTful API; 
those searches are not queued, and up to five are executed concurrently. 

Figure 10. Queued Searches view 

Cancel Selected Button Cancels the selected searches. Use your mouse to choose the searches to cancel. 

Refresh Button Refreshes the current view. 
9. Active Searches 

Active Searches View Selecting Search > Active Searches shows the Active Searches screen, which lists the PCAP ID 
of the currently running search. 

Figure 11. Active Searches view 

Clicking on the "Current PCAP Get [ID]" link takes you to the search status page to see the 
status of the currently running search. 
10. Browse Capture Files 

Browse Overview This section describes your HammerHead/CPX's file browse and retrieval features. The Browse 
screen allows you to locate and download stored capture files from your HammerHead/CPX's file 
system. 

To use it, select Browse from the Search menu. The following figure shows the Browse screen. 

Figure 12. Browse screen 

Browse Files List The Browse screen displays a list of capture files. Each file is identified by date, time, and file 
name. 

You can perform the following three actions on the capture files: 

• Download: Click Download to save a copy of the capture file to local storage. 

• Delete: Click Delete to erase the capture file. 

• Summary: Click View Packets to examine the contents of the capture file. 
11. Trends View 

Trends Overview The Trends view is located under the Status menu and provides the following graphical views of 
the statistics collected for the past 24 hours, week, month, or year. The current graph view is 
refreshed every 60 seconds. 

Interfaces Graph of bandwidth per physical interface. Ports are labeled hhx, where x is the physical port 
number (0-3). 

Data shown on this graph is total bits per second (bps) per interface. 

Text data shown at the bottom of this graph for each interface is: 

• Current bps rate. 

• Average bits per second rate over the chosen time period. 

• Max bits per second rate seen during the chosen time period. 

Layer 1 Graph of layer 1 statistics per physical interface. Ports are labeled hhx, where x is the physical port 
number (0-3). 

Statistics shown for each interface in graph and text format are: 

• Received frames per second (fps). 

• Error fps. A frame is an error frame if it is small, giant, undersize, large or hard-sliced, or if 
there is a CRC error or a code violation. 

• Dropped fps. Dropped frames indicate that the memory buffer for that interface was full 
and the frames could not be saved in memory. Any non-zero dropped rate means the recording 
for that interval is incomplete. 

Layer 2 Graph of traffic by frame type at layer 2 for all received traffic. 

Statistics shown for layer 2 in graph and text format are: 

• Total IPv4 fps. Total fps of frames with the IPv4 type set (0x0800). 

• Total IPv6 fps. Total fps of frames with the IPv6 type set (0x86DD). 

• Total vlan tagged fps. Total fps of frames with the VLAN 802.1Q type set (0x8100). 

• Total qinq fps. Total fps of frames with the QinQ type set (0x9100). These 
are frames with nested (more than one) VLAN tags. 

• Total mpls fps. Total fps of frames with the MPLS unicast or multicast type 
set (0x8847 or 0x8848). 

• Total arp fps. Total fps of frames with the ARP type set (0x0806). 

• Total multi fps. Total fps of frames with Ethernet multicast destination addresses. These are 
Ethernet frames with a value of 1 in the least-significant bit of the first octet of the 
destination address. 

• Total other fps. Total for all other frame types not shown above. 
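The following added example (written for this page, not code from the HammerHead/CPX guide or its software) applies the Layer 2 classification above to constructed Ethernet frames: it buckets frames by the outer EtherType values the guide lists, applies the multicast test on the first destination octet, and additionally walks a stacked 802.1Q/QinQ tag chain to recover the encapsulated EtherType (the value the Packet Search "eth type" column reports for non-IP frames). Counting multicast on top of the type bucket is an assumption about how the graph tallies; the frames, MAC addresses and VLAN IDs are constructed sample data.

```python
"""Classify constructed Ethernet frames into the Layer 2 trend buckets and unwrap VLAN tags."""
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# EtherTypes the Layer 2 graph distinguishes (values as given in the guide).
ETHERTYPE_BUCKET = {
    0x0800: "ipv4", 0x86DD: "ipv6", 0x8100: "vlan", 0x9100: "qinq",
    0x8847: "mpls", 0x8848: "mpls", 0x0806: "arp",
}
TAG_TPIDS = (0x8100, 0x9100)   # 802.1Q and the QinQ TPID the guide names


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes = b"",
                tags: Iterable[Tuple[int, int]] = ()) -> bytes:
    """Constructed sample frame: optional stacked (tpid, vid) tags precede the EtherType."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += tpid.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return hdr + etype.to_bytes(2, "big") + payload


def is_multicast_dst(frame: bytes) -> bool:
    """The guide's multicast test: bit 0 of the first destination octet is set."""
    return len(frame) >= 6 and bool(frame[0] & 0x01)


def outer_ethertype(frame: bytes) -> Optional[int]:
    """EtherType at offset 12, or None for a frame too short to carry one."""
    return int.from_bytes(frame[12:14], "big") if len(frame) >= 14 else None


def classify_layer2(frame: bytes) -> str:
    """Bucket by the outer EtherType, as the Layer 2 graph does; 'other' if unknown or short."""
    return ETHERTYPE_BUCKET.get(outer_ethertype(frame), "other")


def inner_ethertype(frame: bytes) -> Tuple[List[int], Optional[int]]:
    """Walk the tag stack; return (VLAN IDs outer-to-inner, encapsulated EtherType or None)."""
    off, vids = 12, []
    while True:
        if len(frame) < off + 2:
            return vids, None                      # truncated before an EtherType
        etype = int.from_bytes(frame[off:off + 2], "big")
        if etype not in TAG_TPIDS:
            return vids, etype
        if len(frame) < off + 4:
            return vids, None                      # truncated inside a tag
        vids.append(int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF)
        off += 4


def layer2_counts(frames: Iterable[bytes]) -> Counter:
    """Frame counts per bucket; 'multi' is counted in addition to the type bucket (assumed)."""
    counts: Counter = Counter()
    for f in frames:
        counts[classify_layer2(f)] += 1
        if is_multicast_dst(f):
            counts["multi"] += 1
    return counts


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")
    frames = [
        build_frame(bytes.fromhex("00aabbccddee"), src, 0x0800, b"\x45" + b"\x00" * 19),
        build_frame(b"\xff" * 6, src, 0x0806),
        build_frame(bytes.fromhex("00aabbccddee"), src, 0x86DD, tags=[(0x9100, 100), (0x8100, 10)]),
    ]
    print(layer2_counts(frames), [inner_ethertype(f) for f in frames])
```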
Layer 3 Graph of traffic by packet type at layer 3 for all received traffic. 

Statistics shown for packets at layer 3 in graph and text format are: 

• IPv4 packets per second (pps). 

• IPv6 pps. 

• Error pps. All packets received per second with checksum errors. 

• Fragment pps. All packets received per second with the fragmentation flag set 
in IPv4 or a fragment extension header in IPv6. 

• Other pps. All other packets received per second. 

Layer 4 Graph of packet type at layer 4 for all received traffic. 

Statistics shown for all packets at layer 4 are: 

• Total pps. The pps of all traffic classified as layer 4 by the IPv4 and IPv6 
protocols. 

• TCP pps. The pps of all TCP packets. 

• UDP pps. The pps of all UDP packets. 

• SCTP pps. The pps of all SCTP packets. 

• ICMP pps. The pps of all ICMP packets. 

• IGMP pps. The pps of all IGMP packets. 

• GRE pps. The pps of all GRE packets. 

• Reset pps. The pps of all TCP packets with the reset flag set. 

Bursts Graph of traffic data rate deltas at 20ms intervals. 

Graph shows delta in bps between each sub second sample. 

Burst statistics shown in text format at bottom of graph for each hardware interface are: 

• Current bps delta. Shows last delta value. 

• Average bps delta. Shows average bps delta value over chosen time period. 

• Max bps delta. Shows maximum bps delta value over chosen time period. 
Graph of flow records generated per second. 

Flow records are generated for the internal index and, if enabled, are also exported to the remote 
collectors configured on the NetFlow v9 Export screen under System Settings. 

Graph of critical system interface components and temperature in Fahrenheit. 
Statistics shown are: 

• FPGA. The temperature of the FPGA chip on the interface adapter. 

• SFPx. The temperatures of the individual interface SFP adapters, where x is the 
interface number (i.e., SFP0, SFP1, etc.). 

Graph of the system load and the percent of system resources in use over time. System load 
should not be above 24 for normal operation. Values of 12 and less are normal. 
System Settings Overview Your HammerHead/CPX's configuration parameters are available through the System Settings 
menu. 

Figure 13. System Settings menu (entries: General, Syslog, SNMP, NTP, NetFlow V9 Export, Search, Users, External LDAP, IPMI, Firewall, Reboot, Advanced) 

The System Settings are described in the following sections. 
General Information Overview The following figure shows the General Information screen: 

Figure 14. General Information screen (fields: System Name, for example myhostname; System IP; Netmask, for example 255.255.255.0; Gateway; DNS; System Password; Confirm Password; UI Timeout (s), for example 1200) 



General Information Parameters The following table describes the General Information parameters. 

Table 8. General Information parameters 

Parameter           Description 

System Name         The unique identifier for your HammerHead/CPX appliance. 
System IP           Your HammerHead/CPX's IP address. Enter this value in the format nnn.nnn.nnn.nnn 
Netmask             The network mask. 
Gateway             The IP address for the network gateway. 
DNS                 The IP address for the DNS server. 
System Password     Your HammerHead/CPX login password. 
Confirm Password    Your HammerHead/CPX login password verification box. 
UI Timeout          The session limit, in seconds, before your HammerHead/CPX user interface times out. You will need to log in again when this limit has been exceeded. A shorter value limits how long an unattended browser session remains usable. 
Syslog Configuration Overview The following figure shows the Syslog Configuration screen: 

Figure 15. Syslog Configuration screen (fields: Protocol, for example udp; Targets, for example logs.com:5264. For multiple syslog targets, use a comma-separated list of values in the format server:port.) 



Syslog Configuration Parameters The following table describes the Syslog Configuration parameters: 

Table 9. Syslog Configuration parameters 

Parameter   Description 

Protocol    Protocol to be used for syslog message transport: UDP or TCP. UDP delivery is unacknowledged, so messages lost in transit are not retransmitted; use TCP where the collector supports it. 
Targets     IP addresses of the syslog servers, in the format address:port. For multiple destination servers, use a comma to delimit entries. For example: 192.168.1.1:514, 192.168.1.2:8000 
Level       Level of syslog alerts to be sent to the syslog server. Levels are Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug. The default level is Alert. Syslog priority filtering is cumulative (the selected level and anything more severe), so at the default of Alert only Emergency and Alert messages reach the collector. 
            Note: Lowering the log alert level to Info or Debug will generate a large amount of syslog traffic and may impact system performance. 

Click Save to store your settings, or Cancel to ignore your changes and return to the previous settings. 

Note: The syslog settings apply to the export of all syslog messages at the configured level. All 
HammerHead/CPX-specific syslog messages are logged as facility Local5. For more 
details on syslog settings and on configuring the syslog settings using the CLI, please see 
Section 36, Frequently Asked Questions. 
SNMP Configuration Overview The following figure shows the SNMP Configuration screen: 

Figure 16. SNMP Configuration screen (fields: Traps Enabled check box; Community String, for example nPulse; System Contact, for example Support@nPulse; System Location; System Description, for example HH3.3 Capture Appliance; SNMP Trap Target(s), for example 10.1.1.1:161. For multiple SNMP trap targets, use a comma-separated list of values in the format server:port.) 



SNMP Configuration Parameters The following table describes the SNMP Configuration parameters: 

Table 10. SNMP Configuration parameters 

Parameter            Description 

Community String     The SNMP community string. Used as a user ID or password for basic message authentication. Community strings travel in the clear and are the only credential a poller needs, so replace the default shown in the figure with a strong, unique value and leave SNMP unchecked on the Firewall Configuration screen when it is not in use. 
System Contact       The system contact (text string). 
System Location      The system location (text string). 
System Description   The system description (text string). 
SNMP Trap Target     The IP address of the SNMP trap receiver, in the format server:port. Use a comma to separate multiple targets. 
Traps Enabled        When this box is checked, SNMP traps are enabled. 

Click Save to store your settings or Cancel to ignore your changes and return to the previous 
settings. 
SNMP MIBs Support Your HammerHead/CPX supports the following MIBs, which can be polled for status: 

• nPulse HammerHead-MIB 

• SNMPv2-MIB 

• DISMAN-EVENT-MIB 

• IF-MIB 

• RFC1213-MIB 

• IP-MIB 

• IP-FORWARD-MIB 

• TCP-MIB 

• UDP-MIB 

• HOST-RESOURCES-MIB 
NTP Configuration Overview The NTP Configuration screen lets you set NTP (network time protocol) clock sources. NTP servers 
can be used to synchronize your HammerHead/CPX's system clock. 

The following figure shows the NTP Configuration screen: 

Figure 17. NTP Configuration screen (field: NTP clock sources. For multiple NTP sources, use a comma-separated list.) 



NTP Clock Sources Enter the IP address of one or more NTP servers. For multiple servers, use a comma to delimit 
each entry. For example: 

192.168.1.1, 192.168.1.2 

If an external 1PPS timing input is also connected, NTP will be used for the year, month, day, 
hour, minute, and second portion of the system clock. 1PPS will be used to synchronize sub- 
second portions of the clock. 

Click Save to store your settings or Cancel to ignore your changes and return to the previous 
settings. 
NetFlow v9 Export Overview This section enables you to export NetFlow v9 records to remote collectors. When enabled, 
inbound packets for all HammerHead/CPX monitor ports are analyzed and records are created for 
each flow on a 1:1 basis. 

The following figure shows the NetFlow v9 Export screen: 

Figure 18. NetFlow v9 Export screen (fields: Export NetFlow? check box; NetFlow collector(s). For multiple flow collectors, use a comma-separated list of values in the format server:port. All flow export is done using UDP.) 



NetFlow v9 Export Parameters The following table describes the NetFlow v9 Export parameters: 

Table 11. NetFlow v9 Export Parameters 

Parameter              Description 

Export NetFlow         Check this to enable flow export. 
NetFlow collector(s)   The IP address of one or more remote NetFlow collectors in the format {server address:port #}. For multiple destination servers, use a comma to delimit each entry. For example, 192.168.1.1:9996, 192.168.1.2:9996. 
                       Records are exported over UDP. The remote NetFlow collectors must support records in NetFlow v9 format. Because the export is plain UDP, the records (which list every source and destination pair seen on the monitor ports) can be read or spoofed by anything on the path, so send them over a dedicated management network. 

Click Save to store your settings or Cancel to ignore your changes and return to the previous 
settings. 
18. Search Configuration Settings 

Search Configuration Overview This section describes your HammerHead/CPX's search configuration parameters. This screen lets 
you set the HammerHead/CPX search parameters as described in the following sections. 

The following figure shows the Search Configuration screen: 

Figure 19. Search Configuration screen (fields: IO Priority, for example idle; Default Search Range, for example 300; Flow Search Timeout, for example 300; Packet Search Timeout, for example 300) 



Search Configuration Parameters The following table describes the Search Configuration parameters: 

Table 12. Search Configuration parameters 

Parameter               Description 

IO Priority             Sets the priority for packet search and retrieval from the storage array. The choices are: 

                        • idle: gives priority to packet recording and only accesses the array during idle time. This is the default setting. 

                        • best effort: gives equal weighting to packet recording access and packet search access. This setting may cause loss of packets in the capture process if the system is running at a high load. 

                        • real time: gives packet search real-time access. This setting may cause loss of packets in the capture process if the system is running at a high load. 

                        Leave this at idle on a system whose recording must be complete; both other settings trade capture completeness for search speed. 

Default Search Range    Sets the default range of time, in seconds. Used when only the start time (stime) or the end time (etime) is specified, or when no time is specified in a flow or packet search. 

Flow Search Timeout     Sets the default timeout, in seconds, for the system to wait for a flow search to return results. If this timer expires, the system cancels the search. If your searches are timing out, narrow the search parameters or use the timeout:{seconds} parameter to extend an individual search. 

Packet Search Timeout   Sets the default timeout, in seconds, for a packet search to return results. If this timer expires, the system cancels the search. If your searches are timing out, narrow the search parameters or use the timeout:{seconds} parameter to extend an individual search. 
Users Overview This section describes your HammerHead/CPX's user management features. This screen lets you 
administer user accounts as described in the following sections. 

The following figure shows the Users screen: 

Figure 20. Users screen (Users and Add User tabs; one row per account showing name, UID and roles, for example cuc_analyst with UID uid=cuc_analyst,ou=people,dc=npulsetech,dc=com and role analystgroup, and hammerhead with roles admingroup, analystgroup) 

The Users tab of the Users settings screen lists the current HammerHead/CPX users. The 
following information is listed for each user: 

• UID 

• Name 

• Roles 

To remove a user account, select the user's name in the list and click Delete Selected. 
Add User The Add User tab allows you to create new user accounts. The following figure shows the Add 
User tab: 

Figure 21. Add User tab (fields: Name, Password, Analyst check box, Admin check box; Add and Cancel buttons) 

The following table describes the Add User parameters: 

Table 13. Add User parameters 

Name field   Description 

Name         The name for the new user account. 
Password     The password used to log in with the user name for the account. 
Analyst      Assigns the user the Analyst role. Analysts can perform flow and packet searches and view capture status and trend graphs, but can only view saved searches and queued searches and change their own password. To allow a user access to all functions, check both the Analyst and Admin boxes. 
Admin        Assigns the user the Admin role. Admin users have access to all system settings but cannot view trends or searches. To allow a user access to all functions, check both the Analyst and Admin boxes. 

Click Add to create the new user or Cancel to clear the form without adding a user. 
20. External LDAP Settings 

External LDAP Overview This screen allows you to configure an external LDAP server for user account management. The 
following figure shows the External LDAP screen: 

Figure 22. External LDAP screen (fields: Use External LDAP check box, Host, Port, Object PK, Base DN, Assigned Role) 

External LDAP Parameters The following table describes the External LDAP parameters: 

Table 14. External LDAP parameters 

LDAP parameter      Description 

Use External LDAP   Check this box to enable authentication against an external LDAP server. 
Host                IP address of the LDAP host, in the format ldap://{ip address} (for example, ldap://192.168.1.1). The ldap:// scheme is an unencrypted LDAP connection, so the user's bind password crosses the network in the clear; keep the appliance and the directory on a protected management network. 
Port                The TCP port number on the LDAP host for the LDAP connection. 
Object PK           The attribute that carries the login name (for example, cn). It is paired with the login name to form the first component of the user's distinguished name. 
Base DN             The top-level DN (distinguished name) for the LDAP directory tree. The components listed here are appended to the Object PK component to form the distinguished name (dn) of the entry. 
Assigned Role       The role assigned to LDAP users, as a comma-separated list with the values Analystgroup and/or Admingroup. This role is assigned to every user authenticated through external LDAP: all such users have the same role, so any account that can bind under the configured Base DN receives that level of access. 

The Object PK entry is combined with the user's login name and the Base DN entry to form the 
distinguished name (dn) for the LDAP request. For example, if a user logs in as John Doe, the 
Object PK entry is cn and the Base DN entry is dc=nPulse, dc=lab, dc=network, the complete dn 
of the LDAP connection string will be: 

cn=john doe, dc=nPulse, dc=lab, dc=network 
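Because the login name is spliced straight into the DN, a name containing DN metacharacters (a comma, a plus sign, a leading "#") would change which entry the bind targets. The following added example (written for this page; it is not the appliance's code, and how the appliance itself assembles the DN is not documented beyond the sentence above) builds the DN from Object PK, login name and Base DN exactly as described, and contrasts a naive concatenation with one that escapes the login name per RFC 4514. It also normalizes the optional spaces after the commas in the Base DN, so its output is the guide's example without those spaces; the hostile login name is constructed sample input.

```python
"""Assemble the External LDAP bind DN (Object PK + login + Base DN) with RFC 4514 escaping."""

# Characters that must be escaped inside a DN attribute value (RFC 4514, section 2.4).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN, per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")            # a leading '#' would be parsed as a hex-encoded value
        elif ch == " " and i in (0, last):
            out.append("\\ ")            # leading/trailing spaces are otherwise not preserved
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def normalize_base_dn(base_dn: str) -> str:
    """Drop optional spaces after separators: 'dc=nPulse, dc=lab' -> 'dc=nPulse,dc=lab'.

    Assumes the configured Base DN itself contains no escaped commas."""
    return ",".join(part.strip() for part in base_dn.split(","))


def build_bind_dn_unsafe(object_pk: str, login: str, base_dn: str) -> str:
    """Naive concatenation, shown for contrast: the login name is trusted as-is."""
    return f"{object_pk}={login},{normalize_base_dn(base_dn)}"


def build_bind_dn(object_pk: str, login: str, base_dn: str) -> str:
    """Hardened form: the escaped login name can only ever be a single RDN value."""
    return f"{object_pk}={escape_dn_value(login)},{normalize_base_dn(base_dn)}"


if __name__ == "__main__":
    base = "dc=nPulse, dc=lab, dc=network"          # the guide's example Base DN
    print(build_bind_dn("cn", "john doe", base))
    crafted = "john doe,ou=admins"                  # constructed hostile login name
    print(build_bind_dn_unsafe("cn", crafted, base))  # an extra RDN slips into the DN
    print(build_bind_dn("cn", crafted, base))         # the comma is escaped; one RDN only
```

With the crafted name the unsafe form yields cn=john doe,ou=admins,dc=nPulse,dc=lab,dc=network, a bind against a different subtree; the escaped form keeps the whole string inside the cn value. Whether the appliance escapes the login name is not stated in the guide, which is one more reason to keep the Base DN narrow.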
IPMI Configuration Overview This section describes the settings for the Intelligent Platform Management Interface (IPMI), 
which is used to administer the appliance remotely. 

The following figure shows the IPMI Configuration screen: 

Figure 23. IPMI Configuration screen (fields: IPMI IP, for example 192.168.2.3; IPMI Netmask, for example 255.255.255.0; IPMI Gateway, for example 192.168.2.1) 

IPMI Configuration Parameters The following table describes the configuration parameters for the IPMI interface. 

Table 15. IPMI Configuration parameters 

Parameter      Description 

IPMI IP        The IP address for the IPMI management interface. 
IPMI Netmask   The network mask for the IPMI management network. 
IPMI Gateway   The IP address for the IPMI management network gateway. 

For each of the IPMI parameters, you can enter the address in the format nnn.nnn.nnn.nnn or 
enter "dhcp" to use dynamic host addressing. 

Because the IPMI interface provides out-of-band control of the appliance independently of the 
operating system, connect it only to an isolated management network. 

Click Save to store your settings or Cancel to ignore your changes and return to the previous 
settings. 
Firewall Configuration Overview This section describes the Firewall Configuration screen. The following figure shows the Firewall 
Configuration screen: 

Figure 24. Firewall Configuration screen (check boxes: SNMP, Puppet, Nagios) 

Firewall Configuration Parameters The Firewall Configuration screen opens access to your HammerHead/CPX appliance through 
the interfaces described in the following table. 

Table 16. Firewall Configuration parameters 

Parameter   Description 

SNMP        When checked, provides access through SNMP, UDP port 161. 
Puppet      When checked, provides access through Puppet, TCP port 8140. 
Nagios      When checked, provides access through Nagios, TCP port 5667. 

Unchecking a port denies access to that port and its services. Leave a port unchecked unless the 
corresponding service is actually in use. 

Click Save to store your settings or Cancel to ignore your changes and return to the previous 
settings. 
23. Reboot 

Reboot Overview This section describes the reboot function available through the System Settings menu. Reboot 
allows you to remotely reboot your HammerHead/CPX appliance through the Web UI. 

The following figure shows the Reboot screen: 

Figure 25. Reboot screen 

Click Reboot to reboot your HammerHead/CPX appliance. All current configuration values will be 
saved. A confirmation screen asks you to confirm the reboot, as shown below. 

Figure 26. Reboot confirmation dialog ("Are you sure you'd like to reboot?", with OK and Cancel buttons) 

Click OK to reboot or click Cancel to cancel without rebooting. 
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Advanced The Advanced Configuration screen provides a text view of your HammerHead/CPX's 

Configuration configuration file, including all configuration settings. You can download and save the 

Overview configuration file, or upload a new configuration file to apply. 

The following figure shows the Advanced Configuration screen: 



[Screenshot: Advanced Configuration screen under System Settings, listing each
configuration parameter in a table with its name, type (string) and current value]

Figure 27. Advanced Configuration screen
The following table describes the Advanced Configuration screen parameters:

Table 17. Advanced Configuration screen parameters

Parameter                Description

Refresh Config button    Updates the Advanced Configuration screen to display the latest
                         HammerHead/CPX configuration settings.

Save All Config button   Saves the HammerHead/CPX configuration file.

Configuration display    Lists each of the HammerHead/CPX configuration parameters,
                         including their name, type, and current value.

Download Config link     Downloads the configuration file to your local machine.

Upload Config link       Uploads a configuration file. Once the file is uploaded, restart
                         your HammerHead/CPX for changes to take effect. This is done
                         by using the Reboot function.
25. About (System Information)



About Overview 



The About screen displays the following information about your HammerHead/CPX appliance: 

• License information 

• Version information 



Viewing License & Serial Number Information

Follow these steps to view your HammerHead/CPX's system license, serial number, and MAC
address information:

1. Click About in the top menu. 

2. Select the License tab. 

The following figure shows the License screen: 



[Screenshot: License tab of the About screen. The name/value table lists Licensed To,
Date Issued, Date Expires, Hammerhead Version, Hammerhead Options, Hostname, Napatech
Type, Napatech ID, Napatech PBAID, Napatech Serial, Napatech MAC, Napatech FPGA Image
Number, Napatech FPGA Image Type, Napatech FPGA Image Version, Napatech FPGA Image File
Name, System Serial, and System MAC]

Figure 28. License screen
Viewing Version Information



To view your HammerHead/CPX's system version information: 

1. Click About in the top menu. 

2. Select the Version tab. 

The following figure shows the Version screen: 



[Screenshot: Version tab of the About screen. The name/version table lists the
hhcapture, hhchannel, hhtimeseries, hhstats, hhflowcache, hhmom, and hhretrieve
components with their build version and date, for example 3.3.RC1 Nov 07 2012 15:09:10]

Figure 29. Version screen
26. Saved Searches

Saved Searches Overview



View saved searches and search results by choosing Saved Searches from the Account menu. 



[Screenshot: Saved Searches screen, reached from the Account menu]

Figure 30. Saved Searches screen



Delete Selected Button



To delete a saved search, left click on the search to highlight it and click the Delete Selected 
button. 



Refresh Button

To refresh the saved searches view, click the Refresh button below the Saved Searches view.



HammerHead/CPX User Guide 






27. Password Configuration 



Change Password Overview



A logged-in user can change their password by choosing My Password from the Account menu. 



[Screenshot: My Password screen with Old Password, New Password, and Confirm Password fields]

Figure 31. My Password screen



Table 18. Change Password

Parameter           Description

Old Password        Enter current account password.

New Password        Enter new password.

Confirm Password    Confirm new password.



Click the Save button to save the new password. 
28. Disk Status

Disk Status Overview



By choosing Disk from the Status menu, the user can view current RAID array, controller, and 
individual disk status. 
Figure 32. Disk Status screen



Table 19. Controller & Disk Status Parameters

Parameter         Description

ID                RAID Controller ID number.

Status            Status of RAID controller.

Battery           Status of RAID controller battery.

Logical Device    Status of RAID controller logical device. Shows status of logical
                  array associated with controller.

Last Update       Date of last firmware update to RAID controller hardware.

Disk Count        Number of active disks attached to this RAID controller.
Disk Detail View

Disk Detail view shows each drive status, serial number, and location (logical array on controller
and place in array).

[Screenshot: Disk Detail view with columns status, serial, and location, listing eight
drives, each Present, at locations (0,0) through (0,7)]

Figure 33. Disk Detail view
29. Capture Status



Capture Status Overview



Choose Capture Status from the Status menu to view the Capture Status screen. This screen 
displays current status and statistics for the captured flows. 



[Screenshot: Capture Status screen]

Figure 34. Capture Status screen



Capture Statistics 



The Capture Statistics graph displays the number of packets captured over time. Each feed is 
tracked with a colored line. The cumulative capture rate for all feeds is shown via the overlaid 
bar graph. Individual feed status is displayed on dials on the right of the page. 



[Screenshot: Capture Statistics graph with per-feed dials on the right]

Figure 35. Capture Statistics screen
Freeze To Search

The Freeze To Search button stops the Capture Statistics graph and displays a sliding time bar to 
perform a flow or packet search for the selected time period. Use the slider bar to select the time 
period for the current graph, select Search, and choose Flow or Packet. 

The tabs at the bottom of the view can be selected to see statistics for each individual feed. The 
following table describes per feed capture statistics. 



Table 20. Per Feed Capture Statistics

Tab      Parameter     Description

Feed#    feed          The number of the captured feed for which
                       statistics below are being shown. For
                       information about feeds, see HHPPS.

         updated       The time the feed was last updated.

         Mbps          Shows current capture data rate in Mbps
                       format for feed number shown.

         Errors        The number of frames received with errors
                       since the feed was started.

         Mfps          Shows current capture frame rate in Mfps
                       format for feed number shown.

         octets        The total number of captured octets, in
                       millions, since the feed was started.

         sliced        The number of captured packets that have
                       been truncated either due to the adapter
                       setting or the default max frame size, which is
                       9018 bytes.

         violations    The number of violations on the feed,
                       including small and large frame violations,
                       hard-sliced violations, code violations, CRC
                       errors, and dribble/nibble errors since the
                       feed was started.
30. System Status



System Status Overview

This view shows an overall view of basic system health.

Figure 36. System Status screen

Memory

Near the top of the screen, you can see the Memory graph. This shows the amount of used,
cached, and free memory over time. The different types of memory states are shown below.

Table 21. Explanation of Memory States

Parameter    Values    Description

Memory       Used      The total amount of memory in cache (in megabytes).

             Total     The total amount of memory (in megabytes).

             Free      The amount of available memory (in megabytes).



System Load

In the center of the System Status screen, you'll see the System Load graph. This graph displays the
percent of system resources in use over time. System load should not be above 24 for normal
operation.

Disk Usage

The Disk Usage graph is at the bottom of the screen. On the meters below the graphs, the amount
of available Capture and Flow Directory disk space (as a percentage of overall capacity) can be
viewed.

Link Status

Link Status for each capture interface is shown on the right. Green indicates the link is up, yellow
indicates errors on the link, and red indicates the link is down or no signal is present.



For PPS Status, the following table provides descriptions of the on-screen indicators. 
PPS Status

Table 22. PPS Status Parameters

Indicator         Description

Sync Status       Status of external 1PPS signal synchronization. Will show "1" if interface
                  adapter clock is synchronized to signal being received on external
                  adapter 1PPS input. See HammerHead/CPX Installation Guide for info
                  on connecting 1PPS input.

Skew Time (ns)    Shows the difference (in nanoseconds) between internal adapter clock
                  and external 1PPS signal being received. Should be 0 when adapter
                  achieves synchronization which may take up to three minutes initially.
31. Packet Manipulation Toolset

Your HammerHead/CPX appliance comes with the Wireshark toolset pre-installed at the 
command line level. The PCAP files generated are fully compatible with the Wireshark toolset, 
including: 

• capinfos: reads a PCAP file and returns statistics about that file 

• editcap: edits and converts the format of PCAP files 

• mergecap: merges multiple PCAP files into one 

All PCAP capture files are located in the /capture directory. 
32. Packet Capture (PCAP) File Format

PCAP Overview

This section describes the packet capture (PCAP) file format.

File Header

The PCAP file starts with the following file header:

#include <stdint.h>

#define NSEC_TCPDUMP_MAGIC 0xa1b23c4d
#define USEC_TCPDUMP_MAGIC 0xa1b2c3d4

typedef struct
{
    uint32_t magic;          /* NSEC_TCPDUMP_MAGIC or USEC_TCPDUMP_MAGIC */
    uint16_t version_major;
    uint16_t version_minor;
    uint32_t thiszone;       /* UTC to local correction */
    uint32_t sigfigs;        /* accuracy of timestamps */
    uint32_t snaplen;        /* max length saved portion of each frame */
    uint32_t linktype;       /* data link type */
} PCAP_FILE_HDR;



Frame Format

Following the file header, frames are stored sequentially with a frame header (PCAP_HDR)
followed by the raw bytes of the frame. The header consists of three fields:

• the time the packet was captured (ts) 

• the length of the portion captured (caplen) 

• the length of the packet on the wire (wirelen) 

Note: If caplen is less than wirelen, packet was "sliced". 

typedef struct
{
    PCAP_TIME ts;        /* time stamp */
    uint32_t caplen;     /* length of portion captured */
    uint32_t wirelen;    /* length of packet on wire */
} PCAP_HDR;



Time Stamp Format

The time stamp format (PCAP_TIME) consists of two components:

• the seconds since January 1, 1970, 00:00:00 GMT (also known as "Unix time")

• the number of microseconds or nanoseconds within the second

typedef struct
{
    uint32_t tv_sec;
    uint32_t tv_nsec;    /* nanosecond (or microsecond),
                            depending on the magic field */
} PCAP_TIME;

The capture adapter can time stamp frames down to a 10-nanosecond resolution.
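The file header, frame header and time stamp layout above, read back in code, as an added example that is not part of the HammerHead/CPX software or the Wireshark toolset. It also produces the kind of per-file statistics that the capinfos tool from Section 31 reports (frame count, bytes, duration, sliced frames), so it serves both passages. The function and class names (parse_pcap, summarize, Frame, Capture), the two-frame sample capture and the choice to treat caplen greater than snaplen as corruption are assumptions of this example; the magic numbers, field order and widths are the ones the text gives.

```python
"""Reader for the PCAP file and frame headers described above.

Added example, not part of the HammerHead/CPX software. It reads the 24-byte file
header, takes the timestamp unit and byte order from the magic number, then walks
the 16-byte frame headers, flagging frames with caplen < wirelen as sliced and
stopping cleanly on a truncated file. It also produces a capinfos-style summary.
The embedded two-frame capture is constructed sample data.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

NSEC_TCPDUMP_MAGIC = 0xA1B23C4D   # tv_nsec holds nanoseconds (HammerHead default)
USEC_TCPDUMP_MAGIC = 0xA1B2C3D4   # tv_nsec holds microseconds (classic tcpdump)
FILE_HDR_FMT = "IHHIIII"          # magic, version_major/minor, thiszone, sigfigs, snaplen, linktype
FRAME_HDR_FMT = "IIII"            # tv_sec, tv_nsec, caplen, wirelen
FILE_HDR_LEN = struct.calcsize("<" + FILE_HDR_FMT)     # 24
FRAME_HDR_LEN = struct.calcsize("<" + FRAME_HDR_FMT)   # 16


@dataclass
class Frame:
    # Integer nanoseconds since the epoch: a float would not hold the adapter's
    # 10 ns resolution at epoch values around 1.35e9 seconds.
    ts_ns: int
    caplen: int
    wirelen: int
    data: bytes

    @property
    def sliced(self) -> bool:
        return self.caplen < self.wirelen


@dataclass
class Capture:
    nanosecond: bool
    snaplen: int
    linktype: int
    frames: List[Frame] = field(default_factory=list)
    truncated: bool = False   # file ended inside a frame header or frame body


def parse_pcap(buf: bytes) -> Capture:
    if len(buf) < FILE_HDR_LEN:
        raise ValueError("shorter than a PCAP file header")
    # The writer's byte order is recovered from the magic: read it both ways and
    # keep the order under which it matches one of the two known values.
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", buf, 0)[0]
        if magic in (NSEC_TCPDUMP_MAGIC, USEC_TCPDUMP_MAGIC):
            break
    else:
        raise ValueError("not a PCAP file")
    _, _vmaj, _vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(
        endian + FILE_HDR_FMT, buf, 0)
    cap = Capture(nanosecond=(magic == NSEC_TCPDUMP_MAGIC), snaplen=snaplen, linktype=linktype)
    scale = 1 if cap.nanosecond else 1000   # microseconds -> nanoseconds
    off = FILE_HDR_LEN
    while off < len(buf):
        if off + FRAME_HDR_LEN > len(buf):
            cap.truncated = True
            break
        tv_sec, tv_frac, caplen, wirelen = struct.unpack_from(endian + FRAME_HDR_FMT, buf, off)
        off += FRAME_HDR_LEN
        # caplen above snaplen means a corrupt header (assumption of this example);
        # running past EOF means a partially written last frame. Stop either way.
        if caplen > snaplen or off + caplen > len(buf):
            cap.truncated = True
            break
        cap.frames.append(Frame(tv_sec * 1_000_000_000 + tv_frac * scale,
                                caplen, wirelen, buf[off:off + caplen]))
        off += caplen
    return cap


def summarize(cap: Capture) -> Dict[str, int]:
    """capinfos-style statistics for one capture."""
    frames = cap.frames
    return {
        "frames": len(frames),
        "wire_bytes": sum(f.wirelen for f in frames),
        "captured_bytes": sum(f.caplen for f in frames),
        "sliced": sum(1 for f in frames if f.sliced),
        "duration_ns": frames[-1].ts_ns - frames[0].ts_ns if frames else 0,
    }


def build_sample(magic: int = NSEC_TCPDUMP_MAGIC, endian: str = "<") -> bytes:
    """Constructed capture: a 60-byte frame, then a 1514-byte frame sliced to 64 bytes."""
    hdr = struct.pack(endian + FILE_HDR_FMT, magic, 2, 4, 0, 0, 9018, 1)
    rec1 = struct.pack(endian + FRAME_HDR_FMT, 1_354_000_000, 10, 60, 60) + bytes(range(60))
    rec2 = struct.pack(endian + FRAME_HDR_FMT, 1_354_000_000, 500_000_010, 64, 1514) + bytes(64)
    return hdr + rec1 + rec2


if __name__ == "__main__":
    print(summarize(parse_pcap(build_sample())))
```

Keeping the time stamp as integer nanoseconds rather than a float matters for this appliance: a double has about 16 significant digits, so seconds-since-epoch plus a 10 ns fraction does not survive the conversion, and two frames 10 ns apart would compare equal.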
33. Capture Files and Feeds



Continuous Capture File Rotation

For continuous capture, your HammerHead/CPX appliance implements a first-in, first-out (FIFO)
file rotation scheme. When the /capture and /flow record file systems reach a capacity
threshold, a background process automatically purges the oldest files to allow room for current
packet capture files and flow records. The threshold parameter, HH_FILL_PERCENT, is used to
define maximum capacity as a percentage of the /capture and /flow file systems. This
parameter is defined in /etc/default/hammerhead and is set to 80 percent by default.



Multiple Capture Feeds

Using the Napatech Programming Language (NTPL), your HammerHead/CPX can be configured to
split traffic into multiple feeds. To learn more about NTPL, please contact nPulse support.

HammerHead/CPX will load and detect multiple feeds as long as the NTPL file meets the following 
requirements: 

• It must setup the packet feed engine using PCAP nanosecond time stamp format and 
STANDARD descriptor 

• It must create the packet feeds 

Traffic from each feed is stored in a separate subdirectory under the /capture directory. The 
subdirectory name for each feed is in numerical order. For example, the first feed is stored in 
directory /capture/0; the second in /capture/1; and so forth. 

The following is an example of an NTPL configuration file with all traffic load-balanced to four 
feeds: 

// HammerHead NTPL configuration with four (4) feeds
DeleteFilter=All
HashMode=Hash2TupleSorted
SetupPacketFeedEngine[TimeStampFormat=PCAP_NANOTIME; DescriptorType=STANDARD; MaxLatency=10000; SegmentSize=1024; Numfeeds=4]
PacketFeedCreate[NumSegments=256; Feed=(0..3)]
Capture[Priority=0; Feed=(0..3)] = Layer3Protocol == IP

To change the NTPL configuration file, set HH_NTPL in /etc/default/hammerhead to a
valid NTPL file. The initial setting for HH_NTPL_CONFIG is the NTPL configuration file
/opt/hammerhead/etc/hammerhead4.ntpl. This combines all traffic from active ports
and uses a hash load-balance to write traffic into four feeds (0 to 3). This is the optimum
configuration for packet capture performance.
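The FIFO rotation described at the start of this section, applied to the per-feed directory layout (/capture/0 through /capture/3) described just above, as an added example that is not part of the HammerHead/CPX software. It plans which files a threshold-driven purge would remove and how much history remains afterwards. The function names plan_purge and retention_window, the sample tree (1 GiB files written round-robin across four feeds) and the rule that the purge runs only while usage is above HH_FILL_PERCENT are assumptions of this example.

```python
"""FIFO purge planner for a /capture-style tree (added example, not HammerHead code).

Models the rotation described above: files live under per-feed subdirectories
(/capture/0, /capture/1, ...), and once the file system passes HH_FILL_PERCENT of
capacity the oldest files are removed, across all feeds, until usage is back under
the threshold. The directory names, sizes and times below are constructed sample data.
"""
from typing import List, NamedTuple


class CaptureFile(NamedTuple):
    path: str       # e.g. /capture/2/<name>
    mtime: int      # seconds since the Unix epoch (time the file was completed)
    size: int       # bytes


def plan_purge(files: List[CaptureFile], capacity: int, fill_percent: int = 80) -> List[str]:
    """Return the paths to delete, oldest first, until used bytes are within the threshold.

    Nothing is deleted while usage is at or under the limit. (Assumption of this
    example: the guide states the threshold but not whether the purge triggers at
    or strictly above it.)
    """
    limit = capacity * fill_percent // 100
    used = sum(f.size for f in files)
    victims: List[str] = []
    # Oldest first regardless of feed: every feed loses its oldest data together.
    for f in sorted(files, key=lambda f: (f.mtime, f.path)):
        if used <= limit:
            break
        victims.append(f.path)
        used -= f.size
    return victims


def retention_window(files: List[CaptureFile], now: int) -> int:
    """Seconds of history still on disk, i.e. how far back a packet search can reach."""
    return now - min(f.mtime for f in files) if files else 0


def sample_tree() -> List[CaptureFile]:
    """Constructed four-feed tree: twenty 1 GiB files, written round-robin, 10 s apart."""
    gib = 1 << 30
    return [CaptureFile(f"/capture/{i % 4}/cap_{i:04d}.pcap", 1_354_000_000 + 10 * i, gib)
            for i in range(20)]


if __name__ == "__main__":
    tree = sample_tree()
    print(plan_purge(tree, capacity=20 << 30))
    print(retention_window(tree, now=1_354_000_000 + 200), "seconds of history")
```

The retention figure is what an investigator needs to know: because the purge is silent and oldest-first, the reachable history is bounded by capacity and capture rate, not by any configured period, and shrinks in step with traffic volume.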
34. Capture File System



Performance

Your HammerHead/CPX capture file system (/capture directory) is set up with XFS to achieve
high throughput write-to-disk operations. The HammerHead/CPX systems are shipped with RAID
5 or 50 enabled.



Rebuilding

This section describes how to initialize the disk drives in the capture array on an initial installation
or to reassemble the drive array when upgrading from a previous release. Four options are
available and detailed below. If performing an upgrade from a previous release, use the
reassemble command to preserve data currently stored on the capture array.

• RAID 0 array - provides best performance and full use of all available storage. 
Does not provide redundancy for hard disk failures. From command line, type 
enable to enter privileged mode and type configure HammerHead to enter 
configuration mode. Type build 0. Once complete, reboot using the reboot 
command in privileged mode. 

• RAID 10 array - provides optimum redundancy using RAID 0 on top of multiple 
RAID 1 arrays. All data on RAID 1 arrays is mirrored to separate drives. Write-to- 
disk performance is decreased by about 33% and storage by 50% as it uses half of 
array for redundancy. From command line, type enable then type configure 
hammerhead to enter configuration mode. Next, type build 10. When 
complete, reboot using the reboot command in privileged mode. 

• RAID 50 array - provides optimized redundancy and storage capacity using RAID 0 
on top of RAID 5. One drive from any RAID 5 array can be lost and recovery is 
possible. Write-to-disk performance is decreased by about 33% and storage by 1 
drive on 100 series systems, 2 drives on 300 series systems, and 3 drives on 400 
series systems. From command line, type enable then type configure 
hammerhead. Next, type build 50. When complete, reboot using the reboot 
command in privileged mode. 

• RAID 60 array - provides optimized redundancy and storage capacity using RAID 0 
on top of RAID 6. Two drives from any RAID 6 array can be lost and recovery is 
possible. Write-to-disk performance is decreased by about 33% and storage by 2 
drives on 100 series systems, 4 drives on 300 series systems, and 6 drives on 400 
series systems. From command line, type enable, then configure 
hammerhead to enter configuration mode. In configuration mode, type build 60. 
When complete, reboot using the reboot command in privileged mode. 

• Reassemble existing array - provides reassembly of an existing array with data 
present. Will preserve existing RAID array configurations and data. From 
command line, type enable, then configure hammerhead to enter 
configuration mode. Run reassemble under the configuration options. When 
complete, reboot using the reboot command in privileged mode. 
Identifying RAID Volumes

HammerHead/CPX 300 and 400 series appliances are equipped with two or more RAID
controllers. To preserve the data associated with a capture file system, it is important you store
the drives as a volume (group) if you'll be removing them from the HammerHead/CPX appliance
while it is powered off. Otherwise, data will be lost.

Before removing drives from a HammerHead/CPX unit, run identify-raid in
/opt/hammerhead/scripts. This script will activate the LED lights of all the drives associated with
a RAID controller. This lets you remove and store the drives as a set and preserve the RAID
volume's integrity.

The identify-raid command is a script that executes the IDENTIFY command with the
Adaptec uniform command line interface. To use it, pass the parameter 1 or 2 as a command line
argument.

For example, this command lights the LEDs associated with RAID controller 1:

# /opt/hammerhead/scripts/identify-raid 1

This command lights the LEDs associated with RAID controller 2:

# /opt/hammerhead/scripts/identify-raid 2
Backing Up Current Software and Configuration

The currently running Hammerhead/CPX software and configuration can be backed up 
to a separate internal FLASH drive. This allows you to revert to a previous version in case 
of system failure or corruption. 

NOTE: This will require the HammerHead/CPX to be rebooted and will interrupt capture 
during the backup process. 

To back up your current software and configuration, take the following steps: 
1. During system startup, select the 'System Rescue Option.'

[GRUB menu: HammerHead 3.2 Beta; HammerHead 3.2 Beta (recovery mode); HammerHead
3.2 Beta -> ttyS0; HammerHead 3.2 Beta -> ttyS1; HammerHead System Rescue]
2. When prompted for Keyboard layout type, please let this section timeout. (This
allows the system to finish initializing in the background).

[Console output: kernel boot messages ("Loading modules...", "Loading keymaps"),
then "Please select a keymap from the following list by typing in the appropriate
name or number. You should prefer the name to the number (for example type 'fr'
instead of '16'). Hit Enter for the default 'us' keymap.", the numbered keymap
list, and "default choice (US keymap) will be used if no action within the timeout
<< Load keymap (Enter for default):"]



3. To back up the current working system image to the system rescue drive, run
the following command:

/opt/hammerhead/scripts/backup_hammerhead.sh

[Console output: the System Rescue banner (network, ssh, editor and graphical
environment hints) followed by the prompt root@sysresccd running
/opt/hammerhead/scripts/backup_hammerhead.sh]

This version of software and settings will now become the HammerHead/CPX
System Rescue image.

After backup is complete, reboot the system to return to normal operation. (See 
Installation Guide). 
Restoring to Previous Software Configuration (System Rescue)

If the current Hammerhead/CPX software or configuration has failed or become 
corrupted, the system can be booted into System Rescue mode. This lets you restore 
either the original software and configuration, or a previously stored version and 
configuration. 

NOTE: This will interrupt the capture process and require the system to be rebooted. 
To restore the system, take the following steps: 

1. During system startup, select the 'System Rescue Option'

[GRUB menu: HammerHead 3.2 Beta; HammerHead 3.2 Beta (recovery mode); HammerHead
3.2 Beta -> ttyS0; HammerHead 3.2 Beta -> ttyS1; HammerHead System Rescue]

Loading HammerHead System Rescue
2. When prompted for Keyboard layout type, please let this section timeout to
allow the system to finish initializing in the background:

[Console output: kernel boot messages ("Loading modules...", "Loading keymaps"),
then "Please select a keymap from the following list by typing in the appropriate
name or number. You should prefer the name to the number (for example type 'fr'
instead of '16'). Hit Enter for the default 'us' keymap.", the numbered keymap
list, and "default choice (US keymap) will be used if no action within the timeout
<< Load keymap (Enter for default):"]



3. To restore the system rescue image as the current image, run the following
command:

/opt/hammerhead/scripts/install_hammerhead.sh

NOTE: This will erase all configuration data on your HammerHead/CPX system. Flow and
capture data can be restored after rescue is complete and system is rebooted. Use the
reassemble script. For more information, see the Rebuilding portion of Section 34,
Capture File System.

[Console output: the System Rescue banner (network, ssh, editor and graphical
environment hints) followed by the prompt root@sysresccd running
/opt/hammerhead/scripts/install_hammerhead.sh]
After restore is complete, reboot the system to return to normal operation. (See
Installation Guide.)

To restore capture and flow data files once the system is running use the 
reassemble command. See the Rebuilding portion of Section 34, Capture File 
System. 

After booting your HammerHead/CPX software it may need to be configured 
with system settings, because all configuration files are overwritten. If a 
previously running software version was backed up, this will restore 
configuration files from that backup. 
Additional Documentation

For more information about the tools and technologies discussed in this guide, visit: 

• PCRE (Perl Compatible Regular Expressions) — http://www.pcre.org/

• Wireshark — http://www.wireshark.org/docs/man-pages/

• NAGIOS — http://www.nagios.org/

• Puppet — http://puppetlabs.com/ 
Frequently Asked Questions

This section answers some common questions about your HammerHead/CPX appliance. 
What is the default login and password? 

For HTTPS, the default username is hammerhead and the password is hammerhead. 

For SSH, the default username is hhadmin and the password is hammerhead. 

How do I access with root privileges? 

Launch a terminal and log into the HammerHead/CPX using the SSH protocol. Enter 
hhadmin as the username and the password. At the command line, type shell. 
Then, type sudo su and enter the password of the hhadmin user. (By default, this 
would be hammerhead.) 

How do I rebuild or restore the /capture file system? 

Section 34, Capture File System, provides details on reassembling/rebuilding the file 
system. 

How do I shut down the system? 

At the shell command line, type: 

# shutdown -h now 

How do I get TCPDump to work with PCAP files using nanosecond time stamp? 

A TCPDump update allows nanosecond-formatted timestamps. Please contact nPulse 
support to get TCPDump update. 

How do I get additional support? 

The nPulse support engineers constantly monitor our support site. Submit your request 
at: http://npulsetech.com/support 
Technical Support

HammerHead/CPX technical support is available via: 
Web: http://npulsetech.com/support 
Email: support@npulsetech.com 
Twitter: @npulsetech 
Phone: +1 703-673-0044, ext. 2 
Appendix 1



If you need to replace a hard drive, the following provides a detailed mapping of drive
identification numbers in the Web UI and their physical location on the
HammerHead/CPX chassis:

Figure 1 Status -> Disk View in Web UI



3U boxes (CPX320, 340, 304)

4U box (CPX420, 440) (Note: the RAID controller numbers are not in order on this box):

41. Appendix 2

This section provides options available at the command line level. 



Command Line Options

Your initial options include enable, exit, ping, shell, and traceroute, as seen
below.

HammerHead>
  enable        Turn on privileged commands
  exit          Exit from the CLI
  ping          Send messages to network hosts
  shell         Exit to normal command line
  traceroute    Print the route packets trace to network host

Figure 37. Command Line Options

Enable

If you select enable, you have access to system configuration options. Note that your password
is required to move forward.

HammerHead> enable
[sudo] password for hhadmin:
HammerHead#

Figure 38. Enable screen

Exit

If you choose exit, you will exit this interface.

HammerHead> exit
Connection to 10.7.9.11 closed.

Figure 39. Exit screen



Ping 



If you choose ping, the default option pings IPv4 network hosts. You can also ping IPv6 hosts, or 
send an ARP request. 



HammerHead> ping 

ip Send ICMP IPv4 messages to network hosts (default) 
ipv6 Send ICMP IPv6 messages to network hosts 
arp Send ARP requests to a neighbour host 
String Hostname or IP-address to ping 



Figure 40. Ping screen 
Ping Options



When you ping either IPv4 or IPv6, you can then choose source, repeat, resolve, 
broadcast, size, interval or flood. 



HammerHead> ping ipv6 fe80::3e07:54ff:fe07:fd94

source Source IP-address (ip) or interface (ip and arp) 

repeat Requests to send count, default is 5 

resolve Resolve names 

broadcast Ping broadcast address 

size Packet size 

interval The time interval between packets, default is 1 

flood Flood ping



Figure 41. Ping IPv6 screen 



Selecting ping IPv6 gives you the option to specify the packet size to send, as seen below. 



HammerHead> ping ipv6 fe80::3e07:54ff:fe07:fd94 size
Unsigned integer Number of data bytes to send



Figure 42. Ping IPv6 Screen 



Traceroute 



Selecting traceroute gives you the option to trace the route to an IPv4 or IPv6 host.



HammerHead> traceroute 
ip IPv4 
ipv6 IPv6 

String Hostname or IP-address to trace the route 



Figure 43. Traceroute Screen
Choosing traceroute ip gives you the options resolve, source, or interface.

HammerHead> traceroute ip 4.2.2.2
  resolve      Resolve names
  source       Source IP-address
  interface    Source interface
  <cr>

Figure 44. Traceroute IP Screen with Resolve, Source, and Interface Options

Selecting traceroute resolve gives you the option to define your source or

HammerHead> traceroute ip 4.2.2.2 resolve
  source       Source IP-address
  interface    Source interface
  <cr>

Figure 45. Traceroute Resolve Screen